[kernel] r16579 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Nov 20 23:32:02 UTC 2010
Author: dannf
Date: Sat Nov 20 23:31:59 2010
New Revision: 16579
Log:
can-bcm: fix minor heap overflow (CVE-2010-3874)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 23:13:40 2010 (r16578)
+++ dists/lenny-security/linux-2.6/debian/changelog Sat Nov 20 23:31:59 2010 (r16579)
@@ -24,6 +24,7 @@
- Limit socket I/O iovec total length to INT_MAX.
- Resolves kernel heap overflow in the TIPC protcol (CVE-2010-3859)
* net: ax25: fix information leak to userland (CVE-2010-3875)
+ * can-bcm: fix minor heap overflow (CVE-2010-3874)
-- dann frazier <dannf at debian.org> Thu, 30 Sep 2010 21:42:24 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/can-bcm-fix-minor-heap-overflow.patch Sat Nov 20 23:31:59 2010 (r16579)
@@ -0,0 +1,31 @@
+commit c90009b2c4900984bcb1220d67c0b03c5fa19322
+Author: Oliver Hartkopp <socketcan at hartkopp.net>
+Date: Tue Aug 17 08:59:14 2010 +0000
+
+ can-bcm: fix minor heap overflow
+
+ [Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+ On 64-bit platforms the ASCII representation of a pointer may be up to 17
+ bytes long. This patch increases the length of the buffer accordingly.
+
+ http://marc.info/?l=linux-netdev&m=128872251418192&w=2
+
+ Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Signed-off-by: Oliver Hartkopp <socketcan at hartkopp.net>
+ CC: Linus Torvalds <torvalds at linux-foundation.org>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 4d21e40..061df5e 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -120,7 +120,7 @@ struct bcm_sock {
+ struct list_head tx_ops;
+ unsigned long dropped_usr_msgs;
+ struct proc_dir_entry *bcm_proc_read;
+- char procname [9]; /* pointer printed in ASCII with \0 */
++ char procname [20]; /* pointer printed in ASCII with \0 */
+ };
+
+ static inline struct bcm_sock *bcm_sk(const struct sock *sk)
Modified: dists/lenny-security/linux-2.6/debian/patches/series/25lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sat Nov 20 23:13:40 2010 (r16578)
+++ dists/lenny-security/linux-2.6/debian/patches/series/25lenny2 Sat Nov 20 23:31:59 2010 (r16579)
@@ -20,3 +20,4 @@
+ bugfix/all/net-truncate-recvfrom-and-sendto-length-to-INT_MAX.patch
+ bugfix/all/net-limit-socket-io-iovec-total-length-to-INT_MAX.patch
+ bugfix/all/net-ax25-fix-information-leak-to-userland.patch
++ bugfix/all/can-bcm-fix-minor-heap-overflow.patch
More information about the Kernel-svn-changes
mailing list